From: intel96 (intel96@bellsouth.net)
Date: Wed Apr 09 2008 - 19:41:47 EDT
Hi Atif,
While Core Impact is a great tool, it is only that a tool. For example,
Tool-vs-Human...not to long ago, I had to prove my professional salt to
a customer concerning a potential pentest project. My skills were
tested against a security tool vendor, which was using their tool as a
selling point. The security vendor lost, because their tool did not
find any vulnerabilities. The reason the tool lost was, because it
could not think like a human. Which is my main point!
Sometimes by stepping back and looking at the underlying site you may
find a vulnerability. For example, the tool vendor lost, because it
was not designed to identify or find vulnerabilities in SAP web-enabled
applications.
More non-tool examples:
Once, I found a major security issue by reviewing the source code on the
web site. Within the source code I found a username and password that
was left over by the development team.
Another time, I modified a web site's underlying source code to gain
access to multiple customer accounts.
Another time, I used Google to find customer usernames and passwords for
test site that linked into the production database.
I could continue this list, but why...my point is to take a step back
and look at the site(s) without any automated tools to see what may lay
underneath the covers.....
Sorry for the lecture, but I have had my share in the last few decades
too............
Good luck with the project!
Cheers,
Intel96
Atif Azim wrote:
> Hello,
> I am new to pen testing and am currently involved in doing an external
> pen test for one of our clients.We are doing it through Core
> Impact.Reconnaisance showed only port 80 as open and the web server
> running IIS 6.0.Core Impact did not find any vulnerabilities in the
> server and hence was unable to penetrate.The web application was also
> tested for SQL Injection and PHP remote file inclusion and did not
> find any vulnerabilities there either.
>
> My question is what else can we do besides relying on Core Impact for
> this pen test.And what impression can a client get if we say to them
> that there are no vulnerabilites in your network or web app.Its
> dificult to digest something like that for a security specialist that
> everythings alright.
>
> Looking forward to some great views.Thanks.
>
> Regards,
> Atif Azim
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:30 EDT